The 26th of April
April 1998. A student in Taiwan ships a parasitic .exe. It lies dormant until Chernobyl's anniversary, then it overwrites the flash BIOS on thousands of PCs.
Briefing
A floppy arrived with cracked games. One binary is `CIH.EXE`: it is parasitic, infects other PE headers, and has no mass mailer. The scary part is what happens on a specific calendar day. You have strings and a disassembler summary, not a live infected machine.
Your role
AV analyst reconstructing a submitted sample flagged by a reseller in Seoul.
Objective
Identify the payload class, its trigger date, and why antivirus heuristics called it CIH / Chernobyl.
Terminal environment
- user: analyst
- host: iso-pc
- cwd: /home/analyst
- steps: 3
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.